In 3GPP (3rd Generation Partnership Project), there have been discussions related to policy control.
Namely, 3GPP has defined (e.g. from Release 6 onwards) an ALG (application level gateway) and NAT-GW (NAT gateway) based method for traversal of uncontrolled access network NATs, refer e.g. to 3GPP TS (technical specification) 23.228, Annex G, and TS 24.229.
In case a NAT device is interposed between a UE and an IMS core network, the AF/P-CSCF (application function/proxy call session control function) is, for example, configured to determine the existence of the NAT device e.g. by comparing the IP addresses carried in received SIP/SDP (session initiation protocol/session description protocol) messages with the source address of the IP packets carrying them. The SIP/SDP fields may contain the private domain IP address of the UE, while the data packets, having passed the NAT device, appear to be sent from the public IP address allocated by the NAT device. Consequently, the ALG functionality in conjunction with the AF/P-CSCF may request public addresses from the NAT-GW and may modify the SIP/SDP accordingly before sending the message forward, and further, the ALG/AF/P-CSCF may initiate proper security measures (e.g. IPsec tunnelling) for the SIP signalling to be able to traverse the NAT device.
However, for example, the ALG and NAT-GW method imposes limitations:
The UE shall send a media data packet first (i.e. before the UE can receive media data packets) in order to have the NAT allocate an address and to let the NAT-GW get the address and use it as a destination address for downlink media data packets.
The NAT releases the allocated address, if there is no traffic. Applications may have to send keep-alive messages.
When the UE is using e.g. visited network's services, media path is looped via the home network, if/when the home network's P-CSCF is used.
Traversal of all types of NATs cannot be supported.
To overcome the above-mentioned limitations related to the ALG and NAT-GW method, 3GPP has enhanced the NAT traversal methodology e.g. in Release 7 specifications with IETF (internet engineering task force) originated STUN (simple traversal of UDP (user datagram protocol) through NATs) and STUN relay based mechanisms, refer e.g. to 3GPP TS 23.228, Annex G.
With these methods, the UE may be able to get an external/public IP address by an inquiry to a STUN server and to insert the external/public address in the SIP/SDP level, thus making the ALG and NAT-GW functionality redundant, in addition to removing e.g. NAT type related and incoming session invitation related limitations of the ALG and NAT-GW method.
For example, FIG. 1 shows a reference model for ICE (interactive connectivity establishment) and Outbound Methodology in order to provide a general overview and architecture of IMS access with a NAT.
As shown in FIG. 1, a communication system 100 comprises a UE 101, a remote UE 101′ and a network 102. The network 102 in turn comprises an optional NAT and FW (firewall) 1021, an optional remote NAT and FW 1021′, a P-CSCF 1022, a PCRF (policy and/or charging rules function) 1023, a PCEF (policy and/or charging enforcement function) 1024, a STUN relay 1025, a STUN server 1025a, an S-CSCF (serving CSCF) 1026 and an optional IMS access gateway 1027. The UE 101 and the remote UE 101′ each comprise ICE support by means of a STUN client/server. The UE 101 additionally comprises outbound support by means of a STUN client.
The STUN Function shown within the P-CSCF 1022 is a limited STUN Server for supporting so-called STUN keep-alive messages as described e.g. in TS 23.228, clause G.5.3.2.
For deployments where the IMS Access gateway 1027 (or other media manipulating functional entities, such as a MRFP (Multimedia Resource Function Processor)) is used, such functional entities shall be placed on the network side of the STUN server 1025a and STUN relay server 1025 (i.e. not between the UE 101 and the STUN server 1025a or STUN relay server 1025) as shown in FIG. 1. Otherwise, such functional entities will prevent STUN messages from reaching the STUN Relay 1025/Server 1025a e.g. outside of a session.
FIG. 2 shows an explanatory view of the so-called tuple terminology to be explained herein below (refer e.g. to IETF draft-ietf-behave-turn-04.txt). As shown in FIG. 2, a UE (or STUN Client) 201 may perform data communication (or network traffic) with a STUN Relay (or STUN Server) 2025 e.g. via an optional NAT 2021. An address relationship between the UE 201 (or NAT 2021, if present) and the STUN Relay 2025 may be referred to as “internal 5-tuple”. The internal 5-tuple may comprise a source address and port of the UE 201 (in conjunction with the NAT 2021, if present), a destination address and port of the STUN Relay 2025 and a protocol to be used between the UE 201 and the STUN Relay 2025.
As further shown in FIG. 2, the STUN Relay (or Server) 2025 may relay the data communication from the UE 201 to an external client 203 or another optional external client 203′. An address relationship between the STUN Relay 2025 and the external client 203 (or 203′) may be referred to as “external 5-tuple”. The external 5-tuple may comprise a source address and port of the STUN Relay 2025, a destination address and port of the external client 203 (or 203′) and a protocol to be used between STUN Relay 2025 and the external client 203 (or 203′).
In addition, the STUN Relay 2025 functionality may transfer media and STUN messages between the UE 201 (in conjunction with the related NAT 2021 device, if present) and the STUN Relay 2025 using the internal 5-Tuple as described above. The idea resides in using the same internal 5-tuple IP addresses and ports for all DP (data packet) transmissions to enable the traversal of all kinds of NATs. Two ways are supported for this purpose:
Media streams can be encapsulated e.g. within a STUN message in Send Indication or Data Indication between the UE 201 and the STUN Relay 2025 using the IP addresses and ports of the internal 5-Tuple, i.e. an “encapsulation protocol” is used. The encapsulation may contain the external IP address and port of the far end party (such as the external client 203 or 203′) communicating with the UE 201.
Another way resides in a so-called “set an active destination”, i.e. the UE 201 requests a certain external address to be used by the STUN Relay 2025 for all media transmission that is not encapsulated in a Send Indication or Data Indication (i.e. the UE 201 tells the external address and port to the STUN Relay 2025 beforehand and then sends/receives data using the IP addresses of the internal 5-Tuple without having the address information of the external party in the data packets). This can be used for one external address/port pair at a time. If the UE 201 intends to send to or receive from another IP address/port in this way, the UE 201 may be configured to deactivate the current active destination and to request activation of the new IP address/port pair.
According to the above, when e.g. PCC (policy and charging control) is applied in an IMS network to a session using the STUN Relay 2025, a PCEF (policy and charging enforcement function) is unable to recognize e.g. the media streams or service data flows on the user plane due to the encapsulation protocol between the UE 201 and the STUN Relay 2025, and especially, the PCEF 2024 does not know which media stream is possibly using the “active destination” method. (The UE 201 may be able to change the active destination during the session by sending a request to the STUN Relay 2025, e.g. in a multimedia session when the media stream benefiting from optimized transmission changes.) Consequently, the PCEF is unable to correctly apply policy and charging control to media streams or service data flows.
Furthermore, according to the above, if e.g. port numbers of the Server Reflexive Address are used for separating media flows from each other, there resides a problem in that the UE 201 may circumvent the policy and charging control.
In consideration of the above, it is an object of the present invention to overcome one or more of the above drawbacks. In particular, the present invention provides methods, apparatuses, a system and a related computer program product for policy control.
According to the present invention, in a first aspect, this object is for example achieved by a method comprising:
receiving first address information relating to a terminal and a network traffic relay entity;
obtaining second address information relating to the network traffic relay entity and a network traffic destination entity; and
sending the first address information and the second address information to a controlling entity.
According to further refinements of the invention as defined under the above first aspect,
the receiving comprises receiving the first address information as at least a portion of a session initiation protocol invite message;
the obtaining comprises sending a session initiation protocol invite message relating to an intended network traffic destination entity, and receiving a session initiation response message relating to the network traffic destination entity responsive to the session initiation protocol invite.
According to the present invention, in a second aspect, this object is for example achieved by a method comprising:
receiving first address information relating to a terminal and a network traffic relay entity, and second address information relating to the network traffic relay entity and a network traffic destination entity;
generating policy information based on the received first and second address information; and
monitoring network traffic based on the generated policy information.
According to further refinements of the invention as defined under the above second aspect,
the generated policy information comprises a filter function for network traffic related to the first address information;
the generated policy information comprises at least one of a first filter function for network traffic related to network traffic in a direction from the terminal to the network traffic destination entity, and a second filter function for network traffic related to network traffic in a direction from the network traffic destination entity to the terminal;
the method further comprises detecting an intended change to another network traffic destination entity, and holding destination address information relating to the said other network traffic destination entity based on the detected change;
the method further comprises matching the address information against one of the first and second filter functions, and policy enforcement of the network traffic based on the result of matching;
the method further comprises first examining, if the result of matching is negative, whether a data packet is constituted by a simple traversal of user datagram protocol over network address translations request message comprising a source address of the terminal and indicating a network traffic destination entity, second examining, if the result of the first examining is affirmative, whether the indicated network traffic destination entity accords with at least one of the policy information and at least one of the first and second filter functions, and updating, if the result of the second examining is affirmative, the first and second filter functions with at least one of the source address and a port of the terminal;
the method further comprises examining, if the result of matching is negative, and if the data packet causes the network traffic relay entity to permit a new destination address, and, if the result of the examining indicates that the data packet causes the network traffic relay entity to permit a new destination address not matching at least one of the first and second filter functions, dropping the data packet;
the method further comprises examining, if the result of matching is negative, and if the data packet causes the network traffic relay entity to permit a new destination address, and, if the result of the examining indicates that the data packet causes the network traffic relay entity to permit a new destination address not matching at least one of the first and second filter functions, enforcing policy control measures to the data packet;
the method further comprises examining, if the result of matching is negative, and if the data packet is constituted by a simple traversal of user datagram protocol over network address translations message requesting a change of an active destination used by the network traffic relay entity for internet protocol data packets, and, if the result of the examining indicates that the data packet causes the change of the active destination and that the requested destination address does not match at least one of the first and second filter functions, dropping the data packet;
the method further comprises examining, if the result of matching is negative, and if the data packet is constituted by a simple traversal of user datagram protocol over network address translations message requesting a change of an active destination used by the network traffic relay entity for internet protocol data packets, and, if the result of the examining indicates that the data packet causes the change of the active destination and that the requested destination address does not match at least one of the first and second filter functions, enforcing policy control measures to the data packet;
the method further comprises, if the result of matching is affirmative, determining that the network traffic is non-encapsulated network traffic, and the policy enforcement is based on destinations of individual data packets within media streams, and routes the non-encapsulated network traffic based on the generated policy information and the held destination address information;
the method further comprises, if the result of matching is negative, determining that the network traffic is non-encapsulated network traffic, and the policy enforcement is based on destinations of individual data packets within media streams and restricts the non-encapsulated network traffic based on the generated policy information and the held destination address information;
the method further comprises determining whether the network traffic is encapsulated network traffic, and, if so, the policy enforcement is based on destinations of individual data packets on a data packet-by-data packet basis for enforcing policy on the encapsulated network traffic based on the generated policy information and the held destination address information.
According to further refinements of the invention as defined under the above first and second aspects,
the first address information comprises at least one of a source address of the terminal, a source port of the terminal, a destination address of the network traffic relay entity, a destination port of the network traffic relay entity, a protocol to be used between the terminal and the network traffic relay entity, and a channel number relating to a media stream;
at least one of the source address of the terminal and the source port of the terminal further comprises network address translation information;
the second address information comprises at least one of a source address of the network traffic relay entity, a source port of the network traffic relay entity, a destination address of the network traffic destination entity, a destination port of the network traffic destination entity, a protocol to be used between the network traffic relay entity and the network traffic destination entity and a channel number of a media stream.
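The following Python model is added here for illustration and is not code from the specification, from 3GPP or IETF, or from any implementation; it brings together the tuple terminology explained with reference to FIG. 2 and the filter generation, matching and enforcement steps of the second aspect (first and second filter functions, learning the NAT-translated terminal address from a STUN request, holding the active destination, and packet-by-packet enforcement on encapsulated traffic). All addresses, the packet representation and its message-kind labels are constructed assumptions. In particular, the STUN request from which the NAT-translated source address is learned is modelled as carrying the terminal's signalled address, which is an assumption of the model and not a property of any specified message.

```python
# Illustrative model (added here; not code from the specification or any
# 3GPP/IETF implementation) of the PCEF behaviour described in the second
# aspect. Addresses, the Packet representation and its "kind" labels are
# constructed assumptions standing in for the STUN Relay message types.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class FiveTuple:
    src: Addr
    dst: Addr
    proto: str = "udp"


@dataclass
class Packet:
    """Packet on the UE<->relay leg. kind (constructed labels):
    'media' non-encapsulated data, 'send'/'data' Send/Data Indication encapsulating
    media with the external address in peer, 'set_active' request to set the active
    destination to peer, 'stun_request' STUN request from the terminal carrying its
    signalled address in ue_signalled and indicating a destination in peer."""
    tuple5: FiveTuple
    kind: str
    peer: Optional[Addr] = None
    ue_signalled: Optional[Addr] = None


@dataclass
class Pcef:
    ue_addr: Addr          # first address information: terminal (as signalled) -> relay
    relay_internal: Addr
    relay_external: Addr   # second address information: relay -> external client
    peer: Addr
    proto: str = "udp"
    active_destination: Optional[Addr] = None  # held destination address information

    # first filter function: terminal -> relay; second filter function: relay -> terminal
    def uplink_match(self, t: FiveTuple) -> bool:
        return t.proto == self.proto and t.src == self.ue_addr and t.dst == self.relay_internal

    def downlink_match(self, t: FiveTuple) -> bool:
        return t.proto == self.proto and t.src == self.relay_internal and t.dst == self.ue_addr

    def enforce(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop: <reason>'; updates filter state as a side effect."""
        up, down = self.uplink_match(pkt.tuple5), self.downlink_match(pkt.tuple5)
        if not (up or down):
            # Negative match: a STUN request from the terminal to the relay indicating an
            # agreed destination reveals the NAT-translated source; update the filters.
            if (pkt.kind == "stun_request" and pkt.tuple5.dst == self.relay_internal
                    and pkt.ue_signalled == self.ue_addr and pkt.peer == self.peer):
                self.ue_addr = pkt.tuple5.src
                return "pass"
            return "drop: outside negotiated internal 5-tuple"
        if pkt.kind == "set_active":
            # change of active destination only to the destination agreed on the session plane
            if not up or pkt.peer != self.peer:
                return f"drop: active destination {pkt.peer} not agreed on session plane"
            self.active_destination = pkt.peer
            return "pass"
        if pkt.kind in ("send", "data"):
            # encapsulated traffic: enforce on the encapsulated address packet by packet
            if (pkt.kind == "send") != up:
                return f"drop: {pkt.kind} indication in wrong direction"
            if pkt.peer != self.peer:
                return f"drop: encapsulated address {pkt.peer} not in policy"
            return "pass"
        if pkt.kind == "media":
            # non-encapsulated traffic: its destination is the held active destination
            if self.active_destination != self.peer:
                return "drop: no agreed active destination for non-encapsulated media"
            return "pass"
        return f"drop: unknown packet kind {pkt.kind}"


def run_scenario() -> List[str]:
    """Constructed packet sequence; returns 'pass' or 'drop' for each packet."""
    ue_signalled = ("10.0.0.5", 40001)   # UE private address as carried in SIP/SDP
    ue_nat = ("198.51.100.7", 40001)     # source address the PCEF sees after the NAT
    relay_in, relay_ext = ("203.0.113.10", 3478), ("203.0.113.11", 49152)
    peer, rogue = ("192.0.2.20", 50000), ("192.0.2.99", 6000)
    pcef = Pcef(ue_signalled, relay_in, relay_ext, peer)
    up, down = FiveTuple(ue_nat, relay_in), FiveTuple(relay_in, ue_nat)
    packets = [
        Packet(up, "send", peer),                        # drop: 5-tuple not yet known
        Packet(up, "stun_request", peer, ue_signalled),  # pass: NAT-translated address learned
        Packet(up, "send", peer),                        # pass
        Packet(down, "data", peer),                      # pass
        Packet(up, "send", rogue),                       # drop: destination not agreed
        Packet(up, "media"),                             # drop: no active destination held
        Packet(up, "set_active", rogue),                 # drop: destination not agreed
        Packet(up, "set_active", peer),                  # pass
        Packet(up, "media"),                             # pass
        Packet(FiveTuple(("198.51.100.7", 40002), relay_in), "media"),  # drop: other 5-tuple
    ]
    return [pcef.enforce(p).split(":")[0] for p in packets]
```

Calling run_scenario() walks ten constructed packets through the enforcement function and returns the decision for each. The first Send Indication is dropped because the NAT-translated internal 5-tuple is not yet known to the PCEF; the STUN request indicating the agreed destination updates the first and second filter functions with the observed source address and port; thereafter encapsulated packets are admitted only while the encapsulated address matches the destination agreed on the session plane, non-encapsulated media is admitted only while the held active destination matches it, and a request to set the active destination to an address not agreed on the session plane is dropped, which is the circumvention the second aspect is meant to prevent.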
According to the present invention, in a third aspect, this object is for example achieved by an apparatus comprising:
means for receiving first address information relating to a terminal and a network traffic relay entity;
means for obtaining second address information relating to the network traffic relay entity and a network traffic destination entity; and
means for sending the first address information and the second address information to a controlling entity.
According to further refinements of the invention as defined under the above third aspect,
the means for receiving is further configured to receive the first address information as at least a portion of a session initiation protocol invite message;
the means for obtaining further comprises means for sending a session initiation protocol invite message relating to an intended network traffic destination entity, and means for receiving a session initiation response message relating to the network traffic destination entity responsive to the session initiation protocol invite.
According to the present invention, in a fourth aspect, this object is for example achieved by an apparatus comprising:
means for receiving first address information relating to a terminal and a network traffic relay entity, and second address information relating to the network traffic relay entity and a network traffic destination entity;
means for generating policy information based on the first and second address information received by the means for receiving; and
means for monitoring network traffic based on the policy information generated by the means for generating.
According to further refinements of the invention as defined under the above fourth aspect,
the means for generating is further configured to generate a filter function for network traffic related to the first address information;
the means for generating is further configured to generate at least one of a first filter function for network traffic related to network traffic in a direction from the terminal to the network traffic destination entity, and a second filter function for network traffic related to network traffic in a direction from the network traffic destination entity to the terminal;
the apparatus further comprises means for detecting an intended change to another network traffic destination entity, and means for holding destination address information relating to the said other network traffic destination entity based on the change detected by the means for detecting;
the apparatus further comprises means for matching the address information against one of the first and second filter functions, and means for policy enforcement of the network traffic based on the result of matching;
the apparatus further comprises means for examining, if the result of matching is negative, whether a data packet is constituted by a simple traversal of user datagram protocol over network address translations request message comprising a source address of the terminal and indicating a network traffic destination entity, and for examining, if the result of the examining of the data packet is affirmative, whether the indicated network traffic destination entity accords with at least one of the policy information and at least one of the first and second filter functions, and means for updating, if the result of the means for examining is affirmative, at least one of the first and second filter functions with at least one of the source address and a port of the terminal;
the apparatus further comprises means for examining, if the result of matching is negative, and if the data packet causes the network traffic relay entity to permit a new destination address, and means for dropping the data packet, if the result by the means for examining indicates that the data packet causes the network traffic relay entity to permit a new destination address not matching at least one of the first and second filter functions;
the apparatus further comprises means for examining, if the result of matching is negative, and if the data packet causes the network traffic relay entity to permit a new destination address, and means for enforcing policy control measures to the data packet, if the result by the means for examining indicates that the data packet causes the network traffic relay entity to permit a new destination address not matching at least one of the first and second filter functions;
the apparatus further comprises means for examining, if the result of matching is negative, and if the data packet is constituted by a simple traversal of user datagram protocol over network address translations message requesting a change of an active destination used by the network traffic relay entity for internet protocol data packets, and means for dropping the data packet, if the result by the means for examining indicates that the data packet requests the change of the active destination and the requested destination address does not match at least one of the first and second filter functions;
the apparatus further comprises means for examining, if the result of matching is negative, and if the data packet is constituted by a simple traversal of user datagram protocol over network address translations message requesting a change of an active destination used by the network traffic relay entity for internet protocol data packets, and means for enforcing policy control measures to the data packet, if the result by the means for examining indicates that the data packet requests the change of the active destination and the requested destination address does not match at least one of the first and second filter functions;
the apparatus further comprises means for determining configured to determine, if the result of matching is affirmative, that the network traffic is non-encapsulated network traffic, and wherein the means for policy enforcement is further configured to route based on destinations of individual data packets within media streams and to route the non-encapsulated network traffic based on the policy information generated by the means for generating and the destination address information held by the means for holding;
the apparatus further comprises means for determining configured to determine, if the result of matching is negative, that the network traffic is non-encapsulated network traffic, and wherein the means for policy enforcement is further configured to route based on destinations of individual data packets within media streams and to restrict the non-encapsulated network traffic based on the policy information generated by the means for generating and the destination address information;
the apparatus further comprises means for determining whether the network traffic is encapsulated network traffic, and, if so, the means for policy enforcement is further configured to enforce policy on destinations of individual data packets on a data packet-by-data packet basis for enforcing policy on the encapsulated network traffic based on the policy information generated by the means for generating and the destination address information held by the means for holding.
According to further refinements of the invention as defined under the above third and fourth aspects,
the first address information comprises at least one of a source address of the terminal, a source port of the terminal, a destination address of the network traffic relay entity, a destination port of the network traffic relay entity, a protocol to be used between the terminal and the network traffic relay entity and a channel number relating to a media stream;
at least one of the source address of the terminal and the source port of the terminal further comprises network address translation information;
the second address information comprises at least one of a source address of the network traffic relay entity, a source port of the network traffic relay entity, a destination address of the network traffic destination entity, a destination port of the network traffic destination entity, a protocol to be used between the network traffic relay entity and the network traffic destination entity and a channel number relating to a media stream;
the terminal is constituted by a user equipment;
the network traffic relay entity is constituted by a simple traversal of user datagram protocol through network address translations relay server;
the network traffic destination entity is constituted by an external client;
the apparatus according to the third aspect is constituted by at least one of an application function and a proxy call session control function;
the apparatus according to the fourth aspect is constituted by at least one of a gateway function, a policy and charging rules function and a policy and charging enforcement function;
the apparatus is implemented as a chipset or module.
According to the present invention, in a fifth aspect, this object is for example achieved by a system comprising:
a user equipment;
an apparatus according to the third aspect; and
an apparatus according to the fourth aspect.
According to the present invention, in a sixth aspect, this object is for example achieved by a computer program product comprising code means for performing method steps of a method according to any one of the first and second aspects, when run on a computer.
In this connection, it has to be pointed out that the present invention enables one or more of the following:
Minimum addition of address and control information e.g. to the interface protocols between AF (application function)/P-CSCF and PCRF and between PCRF and PCEF.
Possibility of concentrated STUN message monitoring functionality in a PCEF/GW (gateway).
Possibility of concentrated implementation of PCC rule binding to the STUN encapsulation and encapsulated address and protocol information and to internal 5-tuple between UE and STUN Relay e.g. in the PCEF/GW.
Enabling application of service data flow and media stream level policy and charging control (including e.g. bit-rate control and gating), when the STUN Relay for NAT traversal is used e.g. in a policy and/or charging controlled network.
Prevention of access by the UE on the user plane to external destinations not agreed on the signalling/session plane.
Ability to apply policy and charging control in a network simultaneously with the STUN Relay based NAT traversal method known to apply to all kinds of NATs.